This document demonstrates how to form an IPsec tunnel with pre-shared keys to join two private networks: the 192.168.1.x private network inside the Cisco router and the 10.32.50.x private network inside the Checkpoint Firewall.

This sample configuration assumes that traffic from inside the router and inside the Checkpoint to the Internet (represented here by the 172.18.124.x networks) flows before you start the configuration.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Since the IKE and IPsec default lifetimes differ between vendors, select Properties > Encryption to set the Checkpoint lifetimes to agree with the Cisco defaults.

The Cisco default IKE lifetime is 86400 seconds (= 1440 minutes), and it can be modified by these commands:

crypto isakmp policy #
 lifetime #

The configurable Cisco IKE lifetime is from 60 to 86400 seconds. The Cisco default IPsec lifetime is 3600 seconds, and it can be modified by the crypto ipsec security-association lifetime seconds # command.

This should agree with the source (first) network in the Cisco access-list 115 permit ip 192.168.1.0 0.0.0.255 10.32.50.0 0.0.0.255 command.

Select External under Location.

Select Manage > Network objects > New > Workstation to add an object for the external Cisco router gateway (called "cisco_endpoint"). This is the Cisco interface to which the crypto map name command is applied.

Select External under Location. For Type, select Gateway.

Note: Do not select the VPN-1/FireWall-1 check box.

Select Manage > Network objects > Edit to edit the Checkpoint gateway endpoint (called "RTPCPVPN") VPN tab. Under Domain, select Other and then select the inside of the Checkpoint network (called "cpinside") from the drop-down list. Under Encryption schemes defined, select IKE, and then click Edit.

Change the IKE properties for DES encryption to agree with these commands:

crypto isakmp policy #
 encryption des

Note: DES encryption is the default so it is not visible in the Cisco configuration.

Change the IKE properties to SHA1 hashing to agree with these commands:

crypto isakmp policy #
 hash sha

Note: The SHA hashing algorithm is the default so it is not visible in the Cisco configuration.

Change these settings:

De-select Aggressive Mode.

Check Supports Subnets.

Check Pre-Shared Secret under Authentication Method. This agrees with these commands:

crypto isakmp policy #
 authentication pre-share

Click Edit Secrets to set the pre-shared key to agree with the Cisco crypto isakmp key key address address command (key is the shared secret and address is the IP address of the remote IKE peer).

On the IKE Properties window, change these properties to agree with the Cisco IPsec transforms in the crypto ipsec transform-set rtpset esp-des esp-sha-hmac command:

Under Transform, select Encryption + Data Integrity (ESP). The Encryption Algorithm should be DES, Data Integrity should be SHA1, and the Allowed Peer Gateway should be the external router gateway (called "cisco_endpoint"). Click OK.

After you configure the Checkpoint, select Policy > Install on the Checkpoint menu to have the changes take effect.
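Every Checkpoint step above is phrased as "agree with" a Cisco command, and two of the router's values (DES and SHA) do not even appear in its configuration because they are defaults. The following is an added example, not part of the Cisco document and not a Cisco or Checkpoint tool: it parses a constructed IOS crypto snippet, fills in the defaults, and reports each parameter that disagrees with the Checkpoint selections described above. ROUTER_CONFIG, CHECKPOINT_SETTINGS, the name-mapping tables and the use of rsa-sig as the IOS default authentication method (a detail the page does not mention) are all assumptions of the example.

```python
"""Cross-check a Cisco IOS crypto configuration against the Checkpoint
IKE/IPsec selections so that every negotiated parameter agrees.

Added example for this page (hypothetical checker, not vendor tooling);
ROUTER_CONFIG is constructed from the commands the page lists."""
import re

# IOS ISAKMP defaults that never appear in the running configuration
# (the page notes DES and SHA are defaults; rsa-sig is the IOS default
# authentication when no "authentication" line is present).
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                       "authentication": "rsa-sig", "lifetime": 86400}
IOS_IPSEC_SA_LIFETIME_DEFAULT = 3600  # seconds

# Constructed router snippet: no encryption, hash or lifetime line is shown.
ROUTER_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
crypto ipsec transform-set rtpset esp-des esp-sha-hmac
"""

# Checkpoint GUI selections as the page describes them (constructed dict).
CHECKPOINT_SETTINGS = {
    "encryption": "DES", "hash": "SHA1", "authentication": "Pre-Shared Secret",
    "aggressive_mode": False,
    "ike_lifetime": 86400,    # seconds (1440 minutes in the GUI)
    "ipsec_lifetime": 3600,
    "esp_encryption": "DES", "esp_integrity": "SHA1",
}

# Checkpoint names -> IOS keywords for the options this page uses.
CP_TO_IOS_ENC = {"DES": "des", "3DES": "3des"}
CP_TO_IOS_HASH = {"SHA1": "sha", "MD5": "md5"}
CP_TO_IOS_AUTH = {"Pre-Shared Secret": "pre-share"}
CP_TO_ESP_ENC = {"DES": "esp-des", "3DES": "esp-3des"}
CP_TO_ESP_INTEG = {"SHA1": "esp-sha-hmac", "MD5": "esp-md5-hmac"}


def parse_ios_crypto(config: str) -> dict:
    """Extract the ISAKMP policy, IPsec SA lifetime and transform set,
    filling in the IOS defaults for any line that is absent."""
    isakmp = dict(IOS_ISAKMP_DEFAULTS)
    found = {"isakmp": isakmp, "transform": None,
             "ipsec_lifetime": IOS_IPSEC_SA_LIFETIME_DEFAULT}
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy "):
            in_policy = True
            continue
        if in_policy and raw.startswith(" "):      # policy sub-command
            key, _, value = line.partition(" ")
            if key in ("encryption", "hash", "authentication"):
                isakmp[key] = value
            elif key == "lifetime":
                isakmp["lifetime"] = int(value)
            continue
        in_policy = False                          # back at global config
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m:
            found["ipsec_lifetime"] = int(m.group(1))
        m = re.match(r"crypto ipsec transform-set \S+ (.+)$", line)
        if m:
            found["transform"] = m.group(1).split()
    return found


def find_mismatches(router: dict, cp: dict) -> list:
    """Return one message per parameter on which the two peers disagree."""
    isakmp = router["isakmp"]
    problems = []
    pairs = [
        ("IKE encryption", isakmp["encryption"], CP_TO_IOS_ENC.get(cp["encryption"])),
        ("IKE hash", isakmp["hash"], CP_TO_IOS_HASH.get(cp["hash"])),
        ("IKE authentication", isakmp["authentication"], CP_TO_IOS_AUTH.get(cp["authentication"])),
        ("IKE lifetime", isakmp["lifetime"], cp["ike_lifetime"]),
        ("IPsec SA lifetime", router["ipsec_lifetime"], cp["ipsec_lifetime"]),
    ]
    for name, cisco_value, cp_value in pairs:
        if cisco_value != cp_value:
            problems.append(f"{name}: router={cisco_value!r} checkpoint={cp_value!r}")
    if not 60 <= isakmp["lifetime"] <= 86400:
        problems.append(f"IKE lifetime {isakmp['lifetime']} is outside the IOS range 60-86400")
    want = {CP_TO_ESP_ENC.get(cp["esp_encryption"]), CP_TO_ESP_INTEG.get(cp["esp_integrity"])}
    have = set(router["transform"] or [])
    if have != want:
        problems.append(f"transform set: router={sorted(map(str, have))} "
                        f"checkpoint={sorted(map(str, want))}")
    if cp["aggressive_mode"]:
        problems.append("Aggressive Mode is selected on the Checkpoint; the page de-selects it")
    return problems
```

With the page's settings, find_mismatches(parse_ios_crypto(ROUTER_CONFIG), CHECKPOINT_SETTINGS) returns an empty list; entering the IKE lifetime as 1440 (the GUI's minutes value) instead of 86400 seconds, or selecting MD5 hashing, produces one message per mismatched parameter.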

When multiple adjacent inside networks are configured in the encryption domain on the Checkpoint, the device might automatically summarize them with regard to interesting traffic. If the router is not configured to match, the tunnel is likely to fail. For example, if the inside networks of 10.0.0.0 /24 and 10.0.1.0 /24 are configured to be included in the tunnel, they might be summarized to 10.0.0.0 /23.
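An added check for the summarization problem just described (example code, not from the Cisco document and not a vendor tool): it converts the router's crypto access-list wildcard masks to prefixes, collapses the Checkpoint encryption domain the way the page says the Checkpoint may, and reports any summarized network that no access-list entry matches exactly. The access lists, the domain list and the corrected access list are constructed for the example from the networks the page uses.

```python
"""Check whether the Checkpoint encryption domain, after the summarization
the page warns about, still matches the router's crypto access list.

Added example for this page (hypothetical checker, not vendor tooling);
the access lists and domain below are constructed from the page's examples."""
import ipaddress
import re

# Constructed crypto ACL: the page's own entry plus the two adjacent /24s.
CRYPTO_ACL = """
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.32.50.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
# Same ACL with the two /24 entries replaced by one /23 (wildcard 0.0.1.255).
CRYPTO_ACL_FIXED = """
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.32.50.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.1.255
"""
# Networks selected in the Checkpoint encryption domain (constructed).
CHECKPOINT_DOMAIN = ["10.32.50.0/24", "10.0.0.0/24", "10.0.1.0/24"]

ACL_PERMIT = re.compile(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair (0.0.0.255) into a prefix (/24);
    the wildcard is the bitwise inverse of the subnet mask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{address}/{ipaddress.IPv4Address(mask)}")


def parse_crypto_acl(acl_text: str) -> list:
    """Return (source, destination) network pairs from the permit entries."""
    pairs = []
    for line in acl_text.splitlines():
        m = ACL_PERMIT.match(line.strip())
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            pairs.append((wildcard_to_network(src, src_wc),
                          wildcard_to_network(dst, dst_wc)))
    return pairs


def summarized_domain(networks) -> list:
    """Collapse adjacent networks the way the page says the Checkpoint may
    (10.0.0.0/24 + 10.0.1.0/24 -> 10.0.0.0/23); non-adjacent ones stay."""
    return list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(n) for n in networks))


def domain_mismatches(acl_text: str, networks) -> list:
    """List summarized Checkpoint networks that no ACL destination entry
    matches exactly; the page says such a mismatch is likely to make the
    tunnel fail, so each entry is a router-side ACL change to make."""
    acl_destinations = {dst for _, dst in parse_crypto_acl(acl_text)}
    return [str(net) for net in summarized_domain(networks)
            if net not in acl_destinations]
```

domain_mismatches(CRYPTO_ACL, CHECKPOINT_DOMAIN) reports 10.0.0.0/23, the summary the two /24 entries collapse into; with CRYPTO_ACL_FIXED, whose single entry uses the wildcard 0.0.1.255 for that /23, it reports nothing.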